OpenLDAP with SASL: No principal in keytab matches desired name



Hi, All!

We are using OpenLDAP + Kerberos to perform user validation here, and now I need to enable OpenLDAP's SASL authentication (to use with Cyrus IMAP and QMail). I'm testing it with OpenLDAP (2.2.13 - Fedora Core 3), but, when I try to perform a search - like:

# ldapsearch -h my.host.name -Y GSSAPI

(after doing a kinit), I get the message:

SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Internal (implementation specific) error (80)
additional info: SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (No principal in keytab matches desired name)


Question is: what principal is missing?? I tried running slapd with various debug flags, but it says only:

conn=0 fd=10 ACCEPT from IP=143.106.77.85:33134 (IP=0.0.0.0:389)
conn=0 op=0 BIND dn="" method=163
SASL [conn=0] Failure: GSSAPI Error: Miscellaneous failure (No principal in keytab matches desired name)
conn=0 op=0 RESULT tag=97 err=80 text=SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (No principal in keytab matches desired name)
conn=0 fd=10 closed


My /usr/lib/sasl2/slapd.conf has only one line:

auxprop_plugin: slapd

and I _do_ have a ldap/my.host.name at my keytab:

# ktutil
ktutil: rkt /etc/openldap/slapd.keytab
ktutil: l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
1 4 ldap/my.host.name@ROOT.IME.UNICAMP.BR
2 4 ldap/my.host.name@ROOT.IME.UNICAMP.BR
3 4 ldap/my.host.name@ROOT.IME.UNICAMP.BR
4 4 ldap/my.host.name@ROOT.IME.UNICAMP.BR
ktutil:


(the "srvtab" parameter at my slapd.conf points to the file above)

This host is DNS-resolving itself fine in both direct and reverse ways, and I'm running slapd as root (for tests). Using ldapsearch with simple auth works fine (with and without TLS). I have saslauthd running (and it is working with testsaslauthd, and with sasl-sample-server/client, using the GSSAPI mech.)

The slapd.conf I'm using looks like this:

----------------------------------------------------------------
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
allow bind_v2

pidfile         /var/run/slapd.pid
argsfile        /var/run/slapd.args

TLSCACertificateFile /usr/share/ssl/certs/cacert.pem
TLSCertificateFile /usr/share/ssl/certs/myhost.pem
TLSCertificateKeyFile /usr/share/ssl/certs/myhost.key

sasl-host damasco.ime.unicamp.br
srvtab /etc/openldap/slapd.keytab
sasl-regexp UID=([^,]*),CN=.* UID=$1,OU=People,DC=teste,DC=com

# FOR TEST ONLY!
access to * by * write

database        bdb
suffix          "dc=teste,dc=com"
rootdn          "cn=boss,dc=teste,dc=com"
rootpw                  teste

directory       /var/lib/ldap

index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub
----------------------------------------------------------------

Btw, after running ldapsearch, klist shows me a service principal, in addition to my own one:

# klist
Credentials cache: /tmp/krb5cc_0

Default principal: me@ROOT.IME.UNICAMP.BR, 2 entries found.

[1]  Service Principal:  krbtgt/ROOT.IME.UNICAMP.BR@ROOT.IME.UNICAMP.BR
    Valid starting:  Dec 22,  2004 12:39
    Expires:         Dec 23,  2004 12:39
[2]  Service Principal:  ldap/my.host.name@ROOT.IME.UNICAMP.BR
    Valid starting:  Dec 22,  2004 12:39
    Expires:         Dec 23,  2004 12:39

This thing is really driving me crazy...

Some hint??

Thanks in advance!!
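The error quoted in the post comes from the GSSAPI acceptor side: slapd asks Cyrus SASL for a service credential named ldap/<host>@REALM, where <host> is the value of the sasl-host directive (or the canonical host name when sasl-host is unset), and the keytab named by srvtab must contain exactly that principal. A quick way to check for that mismatch is to compare the keytab listing against the host name slapd will actually use. The script below is an added example, not part of the original message or of the OpenLDAP project; the listing it parses is constructed to mirror the shape of the ktutil output above, and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): check whether a keytab listing
# contains the ldap/<host>@REALM principal that slapd's GSSAPI acceptor will
# look for. The listing text is what `ktutil: l` or `klist -k <keytab>` prints.

# keytab_has_principal LISTING HOST REALM
# Returns 0 when a line of LISTING ends with ldap/HOST@REALM, 1 otherwise.
keytab_has_principal() {
  printf '%s\n' "$1" | grep -q "ldap/$2@$3\$"
}

# check_sasl_host LISTING SASL_HOST REALM
# Reports whether the keytab matches the sasl-host value from slapd.conf.
check_sasl_host() {
  if keytab_has_principal "$1" "$2" "$3"; then
    echo "ok: keytab contains ldap/$2@$3"
    return 0
  fi
  echo "missing: ldap/$2@$3 (acceptor would fail with 'No principal in keytab matches desired name')"
  return 1
}

# Constructed sample listing, shaped like the ktutil output in the post above.
SAMPLE_LISTING='slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    4 ldap/my.host.name@ROOT.IME.UNICAMP.BR
   2    4 ldap/my.host.name@ROOT.IME.UNICAMP.BR'

# Stand-alone run over the constructed listing with two candidate host names.
check_sasl_host "$SAMPLE_LISTING" my.host.name ROOT.IME.UNICAMP.BR || true
check_sasl_host "$SAMPLE_LISTING" damasco.ime.unicamp.br ROOT.IME.UNICAMP.BR || true

# Live use on the real server (MIT krb5 klist syntax; realm is a placeholder):
#   check_sasl_host "$(klist -k /etc/openldap/slapd.keytab)" "$(hostname -f)" EXAMPLE.REALM
```

Run it once with the sasl-host value from slapd.conf and once with the host name that appears in the keytab; if only one of the two is reported "ok", the acceptor name and the keytab disagree, which is the condition that produces this exact error message regardless of how many KVNO entries the keytab holds.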